Blog - Title

February, 2011

  • New KB Articles 2/20–2/26

    Hi everyone – we only have 2 articles this week, and one is an update to an existing article:

    • How to configure DFSR file-type compression in Windows Server 2008
    • Redirecting the user's Documents folder to their home directory fails when "Grant the user exclusive rights to Documents" is selected

  • The future is here. It's just not widely distributed yet.

    Hi folks, Ned here again. Despite IT's reputation for cutting-edge technology, a lot of IT departments get stuck in the now or, worse, the past. Since it’s a new year, a new economy, and winter is coming to a close, here are some articles you should find interesting if you are looking at the prospects of your company. I picked technologies that have seen huge increases in advisory cases and general chatter within Microsoft 3rd tier Windows support in the past 12 months. Don’t be left behind in your knowledge (if only because your next employer might care more than your current one).

    This is not limited to Directory Services topics, as most AskDS readers don’t have the luxury of that boundary. I stayed within Windows at least. :)

    Active Directory Federation Services 2.0 

    Single Sign-On, SharePoint integration, and inter-company authentication; that covers a lot of buzzword bingo. The volume of ADFS cases has increased so much in the past year that half of all the US Directory Services engineers were pulled out for a week of depth training. For years we got by with only two experts; those days are done. Get familiar with ADFS now; it’s complex technology that’s difficult to learn under a deadline.

    File Server improvements from Windows Server 2003 to Windows Server 2008 R2. 8 items for 8 years…

    Jose Barreto has compiled a very useful article that covers a variety of enhancements in the most common Windows server role – File Server. Like insane improvements in the scalability of chkdsk, file transfer, and file sharing. It includes many benchmarks and much further reading. Datasets are only getting bigger – five years ago I might see one server a month with a terabyte of data. Now questions around serving 10TB datasets are common.

    Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains

    Far and away our most common Advisory case, the end of Windows Server 2000 support and 2003 mainstream support opened the floodgates. This guidebook is the most comprehensive reference you can find, including checklists, recommended hotfixes, compatibility lists, and known issues. If people would read this end to end before upgrading their domains I’d be out of a job.

    Remote Desktop Services in Windows Server 2008 R2

    Virtual Desktop Infrastructure is another oncoming storm, especially now that SP1 has been released with RemoteFX and Dynamic Memory. Remember when we said service packs would not contain new features? Virtualization is so hot we decided to break our own rule.

    Windows HPC Server 2008 R2

    High Performance Computing clusters were once as rare as an English dentist. Now they seem to be popping up everywhere, thanks to many more HPC applications from vendors and the open source community. I was frankly surprised at how many mainstream uses HPC has now and your business probably fits at least one.

    Cloud Computing for IT Pros

    Finally, you can’t go five minutes without hearing someone mention clouds and much of it is marketing BS. Fortunately, Yung Chou takes time to explain Microsoft's cloud solutions and how they are going to matter to you as a real IT practitioner. And trust me, they will matter if your CEO has anything to say about it – this cloud thing is real and gaining a life all its own.

    That’s probably more than enough for now, I reckon.

    In case you were wondering, this post’s title is from William Gibson. Every so often he drops a gem.

    Ned "not as pithy" Pyle

  • Friday Mail Sack: No Redesign Edition

    Hello folks, Ned here again. Today we talk PDCs, DFSN, DFSR, AGPM, authentication, PowerShell, Kerberos, event logs, and other random goo. Let’s get to it.


    Is the PDC Emulator required for user authentication? How long can a domain operate without a server that is running the PDC Emulator role?


    It’s not required for direct user authentication unless you are using (unsupported) NT and older operating systems or some Samba flavors. I’ve had customers who didn’t notice their PDCE was offline for weeks or months. Plenty of non-fully routed networks exist where many users have no direct access to that server at all.


    It is used for a great many other things:

    • With the PDCE offline, users who have recently changed their passwords are more likely to get logon or access errors. They will also be more likely to stay locked out if using Account Lockout policies.
    • Time can more easily get out of sync, leading to Kerberos authentication errors down the road.
    • The PDCE being offline will also prevent the creation of certain well-known security groups and users when you are upgrading forests and domains.
    • The AdminSDHolder process will not occur when the PDCE is offline.
    • You will not be able to administer DFS Namespaces.
    • It is where group policies are edited (by default).
    • Finally - and not documented by us - I have seen various non-MS applications over the years that were written for NT and which would stop working if there is no PDCE. There’s no way to know which they might be – a great many were home-made applications written by the customers themselves – so you will have to determine this through testing.

    But don’t just trust me; I am a major plagiarizer!

    How Operations Masters Work (see section “Primary Domain Controller (PDC) Emulator”)


    The DFSR help file recommends a full mesh topology only when there are 10 or fewer members. Could you kindly let me know reasons why? We feel that a full mesh will mean more redundancy.


    It’s just trying to prevent a file server administrator from creating an unnecessarily complex or redundant topology, especially since the vast majority of file server deployments do not follow this physical network topology. The help file also makes certain presumptions about the experience level of the reader.

    It’s perfectly OK, from a technical perspective, to make as many connections as you like if using Windows Server 2008 or later. This is not the case with Win2003 R2 (see this old post that applies only to that OS). The main downsides to a lot of connections are:

    • It may lead to replication along slower, non-optimal networks that are already served by other DFSR connections; DFSR does not sense bandwidth or use any site/connection costing. This may itself lead to the networks becoming somewhat slower overall.
    • It will generate slightly more memory and CPU usage on each individual member server (keeping track of all this extra topology is not free).
    • It’s more work to administer. And it’s more complex. And more work + more complex usually = less fun.


    I'm trying to set up delegation for Kerberos but I can't configure it for user or computer accounts using AD Users and Computers (DSA.MSC). I’m logged in as a domain administrator. Every time I try to activate delegation I get this error:

    The following Active Directory error occurred: Access is denied.


    It’s possible that someone has removed the user right for your account to delegate. Check your applied domain security policy (using RSOP or GPRESULT or whatever) to see if this has been monkeyed up:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
    "Enable computer and user accounts to be trusted for delegation"

    The Default Domain Controllers policy will have the built-in Administrators group set for that user right assignment once you create a domain. The privilege serves no purpose on servers other than DCs; they don’t care. Changing the defaults for this assignment isn’t necessary or recommended, for reasons that should now be self-evident.


    I want to clear all of my event logs at once on Windows Vista/2008 or later computers. Back in XP/2003 this was pretty easy as there were only 6 logs, but now there are a zillion.


    Your auditors must love you :). Paste this into a batch file and run in an elevated CMD prompt as an administrator:

    Wevtutil el > %temp%\eventlistmsft.txt
    For /f "delims=;" %%i in (%temp%\eventlistmsft.txt) do wevtutil cl "%%i"

    If you run these two commands manually, remember to change the double percent signs to singles; they are escaped for running in a batch file. I hope you have a system state backup; this is forever!


    Can AGPM be installed on any DC? Should it be on all DCs? The PDCE?


    [Answer from AGPM guru Sean Wright]

    You can install it on any server as long as it’s part of the domain - so a DC, PDCE, or a regular member server. It just needs to be on one computer.


    Is it possible to use Authentication Mechanism Assurance that is available in Windows Server 2008 R2 with a non-Microsoft PKI implementation? Is it possible to use Authentication Mechanism Assurance with any of the Service Administration groups, Domain Admins or Enterprise Admins? If that is possible, what would be the consequences for the built-in administrator account? Would this account be exempt from Authentication Mechanism Assurance, so that administrators would have a route to fix issues that occurred in the environment, i.e. a get out of jail?


    [Answer from security guru Rob Greene]

    First, some background:

    1. This only works with Smart Card logon.
    2. This works because the Issuance Policy OID is “added to” msDS-OIDToGroupLink on the OID object in the configuration partition. There is a msDS-OIDToGroupLinkBl (back link) attribute on the group and on the OID object.
    3. The msDS-OIDToGroupLink attribute on the OID object (in the configuration partition) stores the DN of the group that is going to use it.
    4. Not sure why, but the script expects the groups that are used in this configuration to be Universal groups. So, for the question about Administrative groups: none of these are Universal groups except for “Enterprise Admins”.

    So here are the answers:

    Is it possible to use Authentication Mechanism Assurance that is available in Windows Server 2008 R2 with a non-Microsoft PKI implementation?

    Yes, however, you will need to create the Issuance Policies that you plan to use by adding them through the Certificate Template properties as described in the TechNet article.

    Is it possible to use Authentication Mechanism Assurance with any of Service Administration groups Domain Admins or Enterprise Admins?

    This implementation requires that the group be a universal group in order for it to be used. So the only group of those listed above that is universal is “Enterprise Admins”. In theory this would work; however, in practice it might not be such a great idea.

    If that is possible what would be the consequences for built-in administrator account, would this account be exempt from Authentication Mechanism Assurance?

    In most cases the built-in Administrator account is special-cased to allow access to certain things even if its access has somehow been limited. However, this isn’t the best way to design the security of administrative accounts if you are concerned about not being able to get back into the domain. You would have similar issues if you made these administrative accounts require Smart Cards for logon; then, if for some reason the CA hierarchy did not publish a new CRL and the CA required a domain-based admin to be able to log on interactively, you would be effectively locked out of your domain also.


    I find references on TechNet to a “rename-computer” PowerShell cmdlet added in Windows 7. But it doesn’t seem to exist.


    Oops. Yeah, it was cut very late but still lives on in some documentation. If you need to rename a computer using PowerShell, the approach I use is:

    (Get-WmiObject Win32_ComputerSystem).Rename("myputer")

    That keeps it all on one line without needing to specify an instance first or messing around with variables. You need to be in an elevated CMD prompt logged in as an administrator, naturally.

    Then you can run restart-computer and you are good to go.


    There are a zillion other ways to rename on the PowerShell command-line, shelling netdom.exe, wmic.exe, using various WMI syntax, new functions, etc.


    Does disabling a DFS Namespace link target still give the referral back to clients, maybe with an “off” flag or something? We’re concerned that you might still accidentally access a disabled link target somehow.


    [Oddly, this was asked by multiple people this week.]

    Disable actually removes the target from referral responses and nothing but an administrator’s decision can enable it. To confirm this, connect through that DFS namespace and then run this DFSUTIL command-line (you may have to install the Win2003 Support Tools or RSAT or whatever, depending on where you run this):


    It will not list out your disabled link targets at all. For example, here I have two link targets – one enabled, one disabled. As far as DFS responds to referral requests, the other link target does not exist at all when disabled.


    When I enable that link and flush the PKT cache, now I get both targets:



    When DFSR staging fills to the high watermark, what happens to inbound and outbound replication threads? Do we stop replicating until staging is cleared?


    Excellent question, Oz dweller.

    • When you hit the staging quota 90% high watermark, further staging will stop.
    • DFSR will then try to delete the oldest staged files to get down to 60% of the quota.
    • Any files that are on the wire right now being transferred will continue to replicate. Could be one file, could be more.
    • If those files on the wire are ones that the staging cleanup is trying to delete, staging cleanup will not complete (and you get warning 4206).
    • No other files will replicate (even if they were not going to be cleaned out due to “newness”).
    • Once those outstanding active file transfers on the wire complete, staging will be cleaned out successfully.
    • Files will begin staging and replicating again (at least until the next time this happens).

    So for very large files the staging rule still holds: the quota must be at least as large as the N largest files that could be simultaneously replicated inbound/outbound, or you will choke yourself out. From the DFSR performance tuning post:

    • Windows Server 2003 R2: 9 largest files
    • Windows Server 2008: 32 largest files (default registry)
    • Windows Server 2008 R2: 32 largest files (default registry)
    • Windows Server 2008 R2 Read-Only: 16 largest files

    If you want to find the 32 largest files in a replicated folder, here’s a sample PowerShell command:

    Get-ChildItem <replicatedfolderpath> -Recurse | Sort-Object Length -Descending | Select-Object -First 32 | Format-Table Name,Length -Wrap -AutoSize
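    As an added example (not the post's PowerShell and not a Microsoft tool), this Python script applies the sizing rule above: it finds the N largest files for the OS version in the table, sums them, and compares the total against the part of the staging quota that is usable below the 90% high watermark. The quota value, the version labels and the small sample folder it builds are constructed inputs.

```python
import heapq
import math
import os
import tempfile

# How many of the largest files the staging quota must cover, per OS version,
# from the table in the post. The version labels are this script's own.
LARGEST_FILES_TO_COVER = {
    "2003R2": 9,
    "2008": 32,
    "2008R2": 32,
    "2008R2-ReadOnly": 16,
}


def largest_files(root, n):
    """Return up to n (size_bytes, path) pairs for the largest files under root.

    Uses a heap so a replicated folder with millions of files is never fully sorted."""
    def sizes():
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                try:
                    yield os.path.getsize(path), path
                except OSError:
                    continue  # vanished or unreadable while walking; skip it
    return heapq.nlargest(n, sizes())


def staging_check(root, os_version, quota_mb, high_watermark=0.90):
    """Compare the configured staging quota with the N largest files.

    DFSR stops staging once the folder reaches the 90% high watermark, so only
    that fraction of the quota can hold simultaneously staged files."""
    n = LARGEST_FILES_TO_COVER[os_version]
    top = largest_files(root, n)
    needed = sum(size for size, _ in top)
    usable = int(quota_mb * 1024 * 1024 * high_watermark)
    return {
        "files_considered": len(top),
        "needed_bytes": needed,
        "usable_bytes": usable,
        "ok": needed <= usable,
        # Smallest whole-MB quota whose usable fraction still covers the N largest files.
        "recommended_quota_mb": math.ceil(needed / (1024 * 1024 * high_watermark)),
    }


def build_sample_tree():
    """Create a small constructed replicated folder in a temp dir (not real data)."""
    root = tempfile.mkdtemp(prefix="dfsr-sample-")
    for rel, size in [("a.bin", 5000), ("b.bin", 3000),
                      (os.path.join("sub", "c.bin"), 7000),
                      (os.path.join("sub", "d.bin"), 100)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    # Point root at the real replicated folder and quota_mb at the configured
    # staging quota to check a production member.
    sample = build_sample_tree()
    print(staging_check(sample, "2008R2", quota_mb=1))
```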


    If I create a domain-based namespace (\\\root) and only have member servers for namespace servers, the share can’t be browsed to in Windows Explorer. It is there, I just can’t browse it.

    But if I add a DC as a namespace server it immediately appears. If I remove the DC from the namespace it disappears from view again, but it is still there. Would this be expected behavior? Is this a “supported” way to create a hidden namespace?


    You are seeing some coincidental behavior based on the dual meaning of in this scenario:

    • will resolve to a domain controller when using DNS
    • When a DC hosts a namespace share and you are browsing that DC, you are simply seeing all of its shares. One of those shares happens to be a DFS root namespace.
    • When you are browsing a domain-based namespace not hosted on a DC, you are not going to see that share as it doesn’t exist on the DCs.
    • You can see what’s happening here under the covers with a network capture.
    • Users can still access the root and link shares if they type them in, or had them set via logon script, mapped drive, GP Preference Item, etc. This is only a browsing issue.

    It’s not an “unsupported” way to hide shares, but it’s not necessarily effective in the long term. The way to hide and prevent access to the links and files/folders is through permissions and ABE. This solution is like a share with $ being considered hidden: only as long as people don’t talk about it. :) Not to mention that other admins can easily and accidentally “break” this method through ignorance, or after reading blog posts that tell them all the advantages of DFS running on a DC.

    PS: Using a $ does work – at least on a Win2008 R2 DFS root server in a 2008 domain namespace:




    But only until your users talk about it in the break room…

    Other Random Goo

    • The Cubs 2011 schedule is up and you can download the calendar file here. You know you wanna.
    • And in a related story, Kerry Wood has come back with a one year deal! Did you watch him strike out 20 as a rookie in 1998? It was insane. The greatest 1-hitter of all time.
    • posted their spring sci-fi book wish list. Which means that I now have eight new books in my Amazon wish list. >_<
    • As a side note, does anyone like the new format of the Gawker Media blogs? I cannot get used to them and had to switch back to the classic view. The intarwebs seem to be on my side in this. I find myself visiting less often too, which is a real shame – hopefully for them this isn’t another scenario like, redesigning itself into oblivion.
    • Netflix finally gets some serious competition – Amazon Prime now includes free TV and Movie streaming. Free as in $79 a year. Still, very competitive pricing and you know they will rock the selection.
    • I get really mad watching the news as it seems to be staffed primarily by plastic heads reading copy written by people that should be arrested for inciting to riot. So this Cracked article on 5 BS modern myths is helpful to reduce your blood pressure. As always, it is not safe for work and very sweary.
    • But while you’re there anyway (come on, I know you), check out the kick buttitude of Abraham Lincoln.
    • Finally: why are the Finnish so awesomely insane at everything? And by everything, I mean only this and rally sport.


    Have a nice weekend folks.

    - Ned “simple and readable” Pyle

  • I moved my PDCE role and accounts started locking out!

    Hi, David here. We’ve seen a few cases on this now, so I wanted to put the word out and explain why it happens and how you can (very easily) prevent it from happening to you.

    The scenario:

    Imagine an ordinary domain admin. Let’s call him Fred. Fred has finally gotten the ok from his management to start deploying shiny new Windows Server 2008 R2 domain controllers (and the new hardware he wanted to do this). Fred brings up a DC and spends several weeks making sure that everything works. Then, confident in the stability of his new DC, he transfers the PDC Emulator role to it. Nothing explodes and everything appears to be good. Mission accomplished, Fred goes home and enjoys the rest of his weekend.

    On Monday morning Fred gets to work and finds out that the help desk is swamped with calls from users whose accounts are locked out. Unlocking the accounts only seems to fix them temporarily, and then they get locked out again. Fred’s manager tells him to undo the change he made over the weekend, which he does. Desperate to figure out why his new DC betrayed him so horribly, Fred opens up a case with Microsoft for support and gets someone on our team.

    Troubleshooting an account lockout:

    Obviously this is a bad situation for Fred, but unfortunately it’s kind of hard to troubleshoot an account lockout without logs from while the problem was happening.

    As an aside here, if you haven’t examined the Security Compliance Manager tool and its included docs, you should probably take a look. It lays out our recommendations around account lockout policies.

    There are multiple tools for troubleshooting account lockouts, but sometimes it pays to go old-school: What we want for this are the Netlogon debug logs, which every domain administrator should be familiar with. Netlogon debug logging can show you all kinds of very useful information for troubleshooting authentication issues, particularly with NTLM authentication. In this situation, it shows us something very interesting if we take a look at the log from the domain controllers of the domain while the accounts are being locked out:

    [LOGON] SamLogon: Transitive Network logon of Domain\User from Computer successfully handled on DC (UseHub is FALSE).

    I should mention here that Netlogon debug logging is NOT turned on by default, which is really just a holdover from the days when your server processor speeds were measured in MHz. It can be a highly useful troubleshooting tool and everyone should know how to turn it on – documented here.

    Here in DS, we spend a lot of time looking at Netlogon debug logs, and when we first saw the above line in the log, we were stumped as to where it was coming from. It’s not something that we normally see at all, and none of us could remember ever seeing it in a case before.

    It turns out that this output only happens in the log under a very specific set of circumstances when the authenticating domain controller decides that it needs to bypass validating the password with the PDC if a bad password is received. When it makes this decision, it sets a parameter called UseHub to FALSE instead of the default of TRUE. Thankfully, it writes this in the netlogon log for us to see; otherwise we’d never have had any clue what it was doing.

    Unfortunately the log didn’t tell us why it was happening - only that it did happen. But, after some snooping in source code and a few dozen emails, we discovered that this decision occurs when the PDC of the domain will not allow us to pass the client’s credentials because the client is using a LAN Manager authentication method that is not supported on the PDC.

    Or, in normal language, what it means is that your LMCompatibility settings don’t match.

    Why would this happen just by moving the PDC Emulator role?

    So, like every new operating system, we ship Windows 2008 R2 with enhanced security when compared to its predecessors. Sometimes this security is accomplished by changing the way that OS works to make it harder to attack, or turning off unnecessary services until they are needed. At other times, we simply change default settings on features that were present in previous OS versions, because the majority of the world can now support those higher settings. LMCompatibility is one of those settings. The default for Windows 2008 R2 is a setting of 3: Send NTLM v2 response only/ Allow LM and NTLM.

    In Fred’s case, it turned out that his XP clients all had a setting of 1: Send LM and NTLM responses, while his new PDC emulator had a setting of 5: Send NTLM v2 response only/Refuse LM and NTLM. It’s worth noting that these settings aren’t the defaults – someone had to choose to put them there. The clients couldn’t use NTLMv2 session security, which is why we couldn’t pass the user’s credentials to the 2008 R2 PDC Emulator for evaluation. The 2003 DCs, on the other hand, had a setting of 2: Send LM and NTLM, Use NTLMv2 if negotiated, so when the PDC was running Windows 2003 we didn’t have this problem. The new Win2008 R2 OS was not specifically the issue – the same issue would have happened to any version of Windows running the PDCE.

    For normal Kerberos logons, we don’t care about LM Compatibility, but there are plenty of applications out there that will default to NTLM – and most applications will retry logons multiple times on your behalf without ever telling you that they’re doing it. In Fred’s environment, all it took was his Outlook clients connecting to his Exchange CAS servers over HTTP and using NTLM to authenticate that connection. The users had changed their passwords that morning and the local DCs didn’t have the new password, so the password that Outlook used looked “bad” to the local DC. Because of the LM Compatibility mismatch, we couldn’t talk to the PDC, and thus we ended up locking the account out.
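    As an added triage example (not code from this post and not a Microsoft tool), this Python script models the documented LmCompatibilityLevel registry values 0 to 5 and scans Netlogon debug log lines for the UseHub marker quoted above, so you can tell which clients' bad-password checks were not forwarded to the PDCE and whether a level mismatch explains it. The log excerpt, domain and computer names are constructed; run it against a netlogon.log copied off a DC.

```python
import re
from collections import Counter

# LmCompatibilityLevel semantics (registry value under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa), as documented for the policy
# "Network security: LAN Manager authentication level":
# value -> (response types the client sends, response types a DC at that level accepts)
LEVELS = {
    0: ({"LM", "NTLM"}, {"LM", "NTLM", "NTLMv2"}),  # send LM & NTLM
    1: ({"LM", "NTLM"}, {"LM", "NTLM", "NTLMv2"}),  # send LM & NTLM, NTLMv2 session security if negotiated
    2: ({"NTLM"},       {"LM", "NTLM", "NTLMv2"}),  # send NTLM only
    3: ({"NTLMv2"},     {"LM", "NTLM", "NTLMv2"}),  # send NTLMv2 only, accept all
    4: ({"NTLMv2"},     {"NTLM", "NTLMv2"}),        # send NTLMv2 only, refuse LM
    5: ({"NTLMv2"},     {"NTLMv2"}),                # send NTLMv2 only, refuse LM and NTLM
}


def pdc_can_verify(client_level, pdc_level):
    """True if a PDC at pdc_level accepts at least one response type the client sends.

    This is the check that fails in Fred's scenario: the local DC accepts the
    logon, but the bad-password retry cannot be forwarded to a stricter PDC."""
    sends, _ = LEVELS[client_level]
    _, accepts = LEVELS[pdc_level]
    return bool(sends & accepts)


# Matches the Netlogon debug log line quoted in the post. re.search skips the
# timestamp prefix that real netlogon.log lines carry.
USEHUB_RE = re.compile(
    r"\[LOGON\] SamLogon: Transitive Network logon of "
    r"(?P<domain>[^\\]+)\\(?P<user>\S+) from (?P<computer>\S+) "
    r".*?\(UseHub is (?P<usehub>TRUE|FALSE)\)"
)


def scan_netlogon(lines):
    """Count (domain, user, computer) tuples whose logons bypassed the PDC (UseHub FALSE)."""
    hits = Counter()
    for line in lines:
        m = USEHUB_RE.search(line)
        if m and m.group("usehub") == "FALSE":
            hits[(m.group("domain"), m.group("user"), m.group("computer"))] += 1
    return hits


def triage(lines, pdc_level, client_levels):
    """Join the log hits with each client's known LmCompatibilityLevel.

    client_levels maps a computer name (as written in the log) to its level,
    e.g. collected from the registry or RSOP. Unknown clients are reported, not guessed."""
    findings = []
    for (domain, user, computer), count in sorted(scan_netlogon(lines).items()):
        level = client_levels.get(computer)
        if level is None:
            verdict = "client LmCompatibilityLevel unknown; collect it before changing anything"
        elif pdc_can_verify(level, pdc_level):
            verdict = "levels are compatible; the PDC bypass has another cause"
        else:
            verdict = ("mismatch: client level %d sends %s but PDC level %d accepts only %s"
                       % (level, sorted(LEVELS[level][0]), pdc_level, sorted(LEVELS[pdc_level][1])))
        findings.append({"user": "%s\\%s" % (domain, user), "computer": computer,
                         "bypassed_pdc": count, "verdict": verdict})
    return findings


# Constructed sample netlogon.log excerpt (not from a real DC); all names are made up.
SAMPLE_NETLOGON_LOG = """\
02/21 08:02:11 [LOGON] SamLogon: Transitive Network logon of CONTOSO\\fred from XPWKS01 successfully handled on DC01 (UseHub is FALSE).
02/21 08:02:12 [LOGON] SamLogon: Transitive Network logon of CONTOSO\\fred from XPWKS01 successfully handled on DC01 (UseHub is FALSE).
02/21 08:02:13 [LOGON] SamLogon: Transitive Network logon of CONTOSO\\alice from WIN7WKS02 successfully handled on DC01 (UseHub is TRUE).
02/21 08:02:15 [LOGON] SamLogon: Network logon of CONTOSO\\bob from FS01 Entered
"""

if __name__ == "__main__":
    # Fred's numbers from the post: XP clients at 1, the new PDCE at 5.
    for finding in triage(SAMPLE_NETLOGON_LOG.splitlines(), 5, {"XPWKS01": 1, "WIN7WKS02": 3}):
        print(finding)
```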

    Solving the problem – the right way

    So, Fred’s first inclination upon hearing from support about this might have been to reduce the security setting on the PDC emulator to make everything magically start working. And while this would have been effective, it would not have been the best solution from a security perspective. There are plenty of good reasons why you should want to use the strongest encryption and security algorithms on network communications, especially ones where your users’ passwords are being handed back and forth between computers for validation.

    The right solution here is that Fred should be centrally managing his settings in a way that fits his network and enforces the best possible level of security. Fortunately there’s a group policy setting that enables him to do just that:


    This setting is located in Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options. Notice the very helpful text on the Explain tab that outlines the default settings.

    So, if Fred was confident that all of the computers on his network supported NTLMv2, he could go ahead and use the policy to enforce the highest level of security on his entire network (Send NTLMv2 response only/refuse LM and NTLM). Or, if he suspected that there might be a few applications (or more likely, ancient operating systems) out there that haven’t quite been retired yet and might have problems with NTLMv2, he could use the fourth option instead and just refuse LM connections. As a note here, every supported Windows OS version supports NTLM v2 – so the situations where you can’t use it should be very rare and only happen with specific third-party applications or OS platforms.

    David “Fred Herring” Beach

  • New KB Articles 2/6–2/19

    I was out of the office last week and did not have a chance to post the new KB articles, so this week you’re in for double the fun. There are quite a few updates between the last two weeks. Here they are, separated by week:

    2/13/2011 – 2/19/2011

    • After you apply a GPO to redirect a folder to a new network share, the redirected folder is empty on client computers that are running Windows Vista or Windows Server 2008
    • How To Diagnose Active Directory Replication Failures
    • "Terminal Session" targeting item does not work for a Group Policy preferences setting on a client computer that is running Windows Server 2008 or Windows Vista
    • The file name of an ADM file is displayed incorrectly in the GPMC report in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2
    • How to Turn On Debug Logging of the Active Directory Users and Computers Snap-In
    • About the DFS Namespaces service and its configuration data on a computer that is running Windows Server 2003 or Windows Server 2008

    2/6/2011 – 2/12/2011

    • FIX: The "Validate server certificate" option is enabled on a computer that is running Windows Vista or Windows Server 2008 when you disable this option by using a Group Policy object
    • The ACL permission of some DFS folders is incorrectly reset after you restart the DFS Namespace service in Windows Server 2008
    • Cannot use Romanian "Ș" character in computer name on Windows 7
    • Computer does not crash when the disk is full after CrashOnAuditFail is set in Windows 7 or in Windows Server 2008 R2
    • Group Policy preference item-level targeting does not work for 64-bit versions of Windows 7
    • You cannot save changes to the Dial-in property settings of a user account on a Windows Server 2008-based domain controller or on a Windows 7-based computer that has RSAT installed
    • The MPR still calls the NPPasswordChangeNotify function to notify a password change event in Windows 7 or in Windows Server 2008 R2 even though the password change is unsuccessful
    • Text on logon screen or lock screen may be truncated with some third-party credential providers on Windows 7
    • Previous versions of a file or of a folder in a DFS share are not listed if you access the share through a nested DFS link from a computer that is running Windows 7 or Windows Server 2008 R2
    • A remote desktop session may be incorrectly disconnected when a smart card is removed in another remote desktop session in Windows Server 2008 or in Windows Server 2008 R2
    • You cannot restore large files in the NTFS file system when all the data streams that have sparse attributes are deleted in Windows Server 2008 or in Windows Vista
    • Events 1659, 1481, and 1173 are recorded in the Directory Service event log on Windows Server 2008 R2-based domain controllers after you remove Active Directory Domain Services from the last domain controller in a tree root domain
    • An AD FS-enabled web application that is published for AD FS authentication on a Windows Server 2008 R2-based computer cannot decode session cookies that are received out of order
    • A paged LDAP query fails on the second page and the pages that follow in Windows Server 2008 R2
    • Renewal request for an SCEP certificate fails in Windows Server 2008 R2 if the certificate is managed by using NDES
    • The Active Directory Users and Computers MMC snap-in and Active Directory Administrative Center display Serbia and Montenegro as one country instead of as two countries in Windows Server 2008 R2 and in Windows 7
    • "An external error has occurred" error when you change the user rights of an account in Local Security Policy in Windows Server 2008 R2
    • The DFS Replication service leaks download tasks, and an outgoing replication backlog occurs in Windows Server 2008 R2
    • A Remote Desktop Services session is disconnected automatically if you apply the "Interactive logon: smart card removal behavior" Group Policy setting in Windows Server 2008 R2 or in Windows 7
    • A crash in the Ntfs.sys component on a computer that is running an IA-64-based version of Windows Server 2008 R2
    • BACKSPACE or arrow keys do not work in MMC on a computer that is running Windows 7 or Windows Server 2008 R2

  • Friday Mail Sack: The Year 3000 Edition

    Hello all, Ned here again. Today we talk DCDIAG, DFSN, DFSR, group policy, user profiles, migrations, USMT, and the fuuuuuuturrrrrrrrre.


    I have a mixed environment of Win2003 and Win2008 DCs. When I run DCDIAG.EXE it tells me the Windows Server 2003 DCs are failing a service test around RPCSS:

    Starting test: Services

          Invalid service type: RpcSs on DC01, current value

          WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS

       ......................... DC01 failed test Services

    I see some Internet posts that say I should change the value using the SC.EXE command. Do you know why this is different and what’s going on? It looks like the difference is being a service in a shared versus isolated process.


    It’s expected and normal for this service’s behavior type to be 0x10 on Win2003 and 0x20 on Win2008 and later. Do not change it based on what DCDIAG says unless you are running the version of DCDIAG that goes with that OS (this is where much of the Internet got confused on causality versus correlation). Win2008 DCDIAG doesn’t know that Win2003 was designed this way so he can’t give you a reasonable answer – he just wants it to be default in 2008 terms.

    Your assumption around shared versus isolated is totally correct:

    Win2008 R2


    Between Win2003 and Win2008, the behavior changed for the RPC service, but there was nothing yet to “share” in that svchost.exe process. In Win2008 R2, the new RPCEptMapper service was added to that shared svchost. You can see who would launch in that same process by looking for this value in the service registry keys:

    %systemroot%\system32\svchost.exe -k RPCSS

    Later versions of Task Manager make this easier too, if you’re allergic to command-line:


    Svchost.exe exists mainly to lower computer resource usage: the more DLLs that can run in fewer shared processes, the less memory/CPU the OS has to allocate for services. You might think it was OK to change this on Win2003 to stop the error and maybe even get back some resources. The problem with that theory is that on Win2003 you get no resources back (as no one else is going to share that process) and you open yourself up to weird issues – when I tell Windows developers about issues caused by services being modified by customers, their first response is “Why on earth would anyone change the service? We don’t test for that at all!”
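    If you would rather do the registry check from a shell than click through service properties, here is an added PowerShell example (not part of the original post) that lists every service whose ImagePath puts it in the shared RPCSS svchost group and decodes the Type value DCDIAG is comparing. Function names are mine; run it elevated on the DC in question.

```powershell
# Added example (not from the original post): enumerate the services that
# launch inside the shared "svchost.exe -k RPCSS" process by reading their
# ImagePath values, and decode the Type value that DCDIAG is comparing.
# Run in an elevated Windows PowerShell session on the server in question.

function Get-ServiceShareMode {
    param([Parameter(Mandatory)][int]$Type)
    # SERVICE_WIN32_OWN_PROCESS = 0x10, SERVICE_WIN32_SHARE_PROCESS = 0x20.
    # Other bits (for example SERVICE_INTERACTIVE_PROCESS = 0x100) can be OR'd in,
    # so test the bits instead of comparing the whole value.
    if ($Type -band 0x20) { return 'WIN32_SHARE_PROCESS' }
    if ($Type -band 0x10) { return 'WIN32_OWN_PROCESS' }
    return ('Other (0x{0:X})' -f $Type)
}

function Get-SvchostGroupMembers {
    param([Parameter(Mandatory)][string]$Group)   # e.g. 'RPCSS'
    # Win2003 writes "svchost -k rpcss" without ".exe", so make the extension optional.
    $pattern = 'svchost(\.exe)?\s+-k\s+{0}\b' -f [regex]::Escape($Group)
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object {
            $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Driver keys and some service keys have no ImagePath; skip those.
            if ($svc.ImagePath -and $svc.ImagePath -match $pattern) {
                [PSCustomObject]@{
                    Name      = $_.PSChildName
                    Type      = ('0x{0:X}' -f [int]$svc.Type)
                    ShareMode = Get-ServiceShareMode -Type ([int]$svc.Type)
                    ImagePath = $svc.ImagePath
                }
            }
        }
}

# Who shares the RPCSS host? On Win2008 R2 this lists RpcSs and RpcEptMapper;
# on Win2003 only RpcSs appears, which is why changing its Type buys you nothing.
Get-SvchostGroupMembers -Group 'RPCSS' | Format-Table -AutoSize

# The specific value DCDIAG checks. Read it; do not "fix" it with sc.exe config.
$rpcss = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\RpcSs'
'RpcSs Type is 0x{0:X} ({1})' -f [int]$rpcss.Type, (Get-ServiceShareMode -Type ([int]$rpcss.Type))
```

    On a Win2003 DC the first table shows RpcSs alone with 0x10, which is exactly the state the answer above says to leave alone; on Win2008 R2 you see two members and 0x20.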

    Playing around with service configurations is not something you do without valid reason and some tool complaining doesn’t meet that bar.

    Best long-term solution: get rid of those remaining Win2003 servers. Then you get all sorts of advantages, like features unlocked by higher functional levels or magically load-balancing bridgeheads.

    Plus I get paid.


    Is there a way to disable and enable DFS namespace targets from the command-line? We’re building some automation.


    You can use the Win2008/Vista RSAT (or later) versions of dfsutil.exe with this syntax:

    dfsutil property state offline <DfsPath> [\\server\share]
    dfsutil property state online <DfsPath> [\\server\share]

    Nicely buried…
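    Since the question was about automation, here is an added PowerShell wrapper (mine, not part of the original post) around that dfsutil syntax: it takes one or more targets of a namespace link offline or online, stops at the first non-zero exit code, and supports -WhatIf so you can preview the calls. The namespace path and share names are constructed placeholders.

```powershell
# Added example (not from the original post): drive "dfsutil property state"
# for a list of namespace targets with error checking and -WhatIf support.
# Namespace path and server shares below are constructed placeholders.
function Set-DfsTargetState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$DfsPath,          # e.g. '\\contoso.com\Public\Docs'
        [Parameter(Mandatory)][string[]]$TargetShare,    # e.g. '\\FS01\Docs'
        [Parameter(Mandatory)][ValidateSet('online', 'offline')][string]$State
    )
    foreach ($share in $TargetShare) {
        if ($PSCmdlet.ShouldProcess("$DfsPath -> $share", "set target $State")) {
            # dfsutil.exe comes from the Win2008/Vista RSAT (or later) file services tools.
            & dfsutil.exe property state $State $DfsPath $share
            if ($LASTEXITCODE -ne 0) {
                throw "dfsutil returned $LASTEXITCODE while setting $share $State"
            }
        }
    }
}

# Maintenance window for FS01: pull its target out of the link, do the work,
# then put it back. Drop -WhatIf to actually run the commands.
Set-DfsTargetState -DfsPath '\\contoso.com\Public\Docs' -TargetShare '\\FS01\Docs' -State offline -WhatIf
Set-DfsTargetState -DfsPath '\\contoso.com\Public\Docs' -TargetShare '\\FS01\Docs' -State online  -WhatIf
```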


    When I use RSOP.MSC on a Windows 7 computer, I see a lot of missing entries and errors and whatnot.


    Blink and you may miss the reason why:


    Since Vista, the OS has been trying to tell you not to use this tool (which is no longer updated and has no idea about a great number of policies). To get a nice, readable resultant set of policy you need to use GPRESULT.EXE /H foo.htm. Mike has yammered about this before.


    I was curious - has the team heard what the future is for Active Directory, beyond Win2008 R2?


    Lots (that’s my full time job now) but we cannot discuss anything. Don’t worry, the marketing people won’t keep it a secret one moment longer than necessary. And our fearless leader lets things out every so often.


    Can the new MIGAPP.XML included in KB2023591 be used with USMT 3.01?


    [A reprint of a comment reply made to the Deployment Guy site]

    The 4.0 migapp.xml does "work" when used with USMT 3.01 - and by that I mean it is schema compatible, will not cause a fatal error during 3.0 scanstate/loadstate, and will not corrupt the store in any way that I have identified. However, under the covers it may be causing issues within the migration. That XML and Office 2010 have not been tested in any fashion with USMT 3 (and never will be), so while it might appear to work fine on the surface, we have zero idea of any more insidious problems.

    Now, if you are using USMT 3.01 because you have to - such as migrating from Win2000 or to Win XP - I can offer you a supported workaround: migrate to a computer that has Office 2007 installed, then upgrade the Office install to 2010 after the migration is done but before the users log on. Office 2010 will upgrade the Office 2007 settings (mostly – see that KB for details on the limits). 

    Naturally, if you don’t have to use 3… use 4.


    We have Windows Server 2003 DFSR and have started to explore adding Win2008 R2 servers. Is mixing supported and are there any known issues?


    Supported all day. You will need to install this hotfix on all Win2003 R2 DFSR servers:

    KB2462352 - DFSR fails from a computer that is running Windows Server 2008 R2 to a computer that is running Windows Server 2003 R2

    You will also need the Win2008 (version 44) or later AD schema in place if you want to use DFSR on RODCs or to customize staging compression behavior:

    What are the Schema Extension Requirements for running Windows Server 2008 DFSR?
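    To see where your forest stands before you start mixing in Win2008 R2 members, here is an added PowerShell check (not part of the original post) that reads the schema partition’s objectVersion over ADSI, so it runs from any domain-joined box without the AD module. Function names are mine; the version-to-OS mapping is the standard one.

```powershell
# Added example (not from the original post): read the forest schema version
# and report whether it meets the Win2008 (objectVersion 44) level that DFSR on
# RODCs and staging-compression tuning require.
function Get-ForestSchemaVersion {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaDn = $rootDse.Get('schemaNamingContext')
    $schema   = [ADSI]"LDAP://$schemaDn"
    [int]$schema.Get('objectVersion')
}

function Test-DfsrSchemaLevel {
    param([int]$Version = (Get-ForestSchemaVersion))
    # objectVersion values written by each schema update (well-known mapping).
    $known = @{
        30 = 'Windows Server 2003'
        31 = 'Windows Server 2003 R2'
        44 = 'Windows Server 2008'
        47 = 'Windows Server 2008 R2'
    }
    $name = if ($known.ContainsKey($Version)) { $known[$Version] } else { "unknown ($Version)" }
    [PSCustomObject]@{
        SchemaVersion    = $Version
        SchemaLevel      = $name
        Win2008DfsrReady = ($Version -ge 44)   # >= 44 unlocks the Win2008 DFSR schema features
    }
}

Test-DfsrSchemaLevel
```

    If Win2008DfsrReady comes back False, run adprep /forestprep from the Win2008 (or later) media before relying on those features; plain Win2008 R2 to Win2003 R2 replication still only needs the hotfix above.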

    If you want to use Win2008/R2 DFSR throughout and start replacing old servers (and you really should – we’re working pretty hard on the 3rd OS since 2003 came out):

    Series Wrap-up and Downloads - Replacing DFSR Member Hardware or OS


    I have a large number of users with computers that were in a workgroup. They are now moving to a domain, and we need their user profiles converted. USMT seems to be overly complex for me – is there another way?

    [Asked by multiple customers this week, oddly enough. The last gasps of Netware?]


    Yes, we have two ways to do this:

    MOVEUSER.EXE - XP and older, comes from the resource kit

    Win32_UserProfile WMI - Vista and newer

    These tools correctly change permissions and ProfileList registry settings in order to “move” (i.e. convert) a user profile between local and domain accounts.
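    For the Vista-and-newer route, here is an added PowerShell example (mine, not part of the original post) that uses the Win32_UserProfile class’s ChangeOwner method to hand a local profile to the matching domain account. It refuses to run while the profile is loaded or when the domain account already has a profile on the machine, and supports -WhatIf. The account names are constructed placeholders.

```powershell
# Added example (not from the original post): convert a local user profile to
# a domain account with the Win32_UserProfile WMI class, which rewrites the
# profile folder ACLs and the ProfileList registry entry for you.
# Account names are constructed placeholders; run elevated with the user logged off.

function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)   # 'COMPUTER\user' or 'DOMAIN\user'
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Convert-LocalProfileToDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$LocalAccount,    # e.g. 'PC01\jdoe'
        [Parameter(Mandatory)][string]$DomainAccount    # e.g. 'CONTOSO\jdoe'
    )
    $localSid  = Get-AccountSid -Account $LocalAccount
    $domainSid = Get-AccountSid -Account $DomainAccount

    $prof = Get-WmiObject -Class Win32_UserProfile -Filter "SID='$localSid'"
    if (-not $prof)   { throw "No profile found for $LocalAccount ($localSid)" }
    if ($prof.Loaded) { throw "Profile for $LocalAccount is in use; log the user off first" }
    if (Get-WmiObject -Class Win32_UserProfile -Filter "SID='$domainSid'") {
        throw "$DomainAccount already owns a profile on this computer; refusing to overwrite it"
    }

    if ($PSCmdlet.ShouldProcess($prof.LocalPath, "reassign from $LocalAccount to $DomainAccount")) {
        # Flags 0 = plain ownership change; other flag bits are documented with the method.
        $result = $prof.ChangeOwner($domainSid, 0)
        if ($result.ReturnValue -ne 0) {
            throw ('ChangeOwner failed, HRESULT 0x{0:X8}' -f $result.ReturnValue)
        }
        # Show the profile now registered under the domain SID.
        Get-WmiObject -Class Win32_UserProfile -Filter "SID='$domainSid'" |
            Select-Object SID, LocalPath, Loaded
    }
}

# Preview first; drop -WhatIf to perform the conversion.
Convert-LocalProfileToDomain -LocalAccount 'PC01\jdoe' -DomainAccount 'CONTOSO\jdoe' -WhatIf
```

    The SID translation for the domain account requires the computer to already be joined and able to reach a DC, which is the order the question describes: join first, convert profiles second.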

    Other Dorky Goo

    • This year is gonna be a sci-fi movie bonanza:
    I didn’t want to like it… but I did.
    The name is Bond. Wyatt Bond.
    No shots of Bucky yet.
    Close encounters of the eleventyth kind
    • Speaking of which, I was able to fight my way through the e-crowds and get tickets to Comic-Con 2011 for self and the wife. She is not exactly geeky but is an epic people watcher – she especially wants to see the day care center. Her theory being that kids will be wearing little gray suits and power ties to rebel against their parent’s uber-nerdiness. Anyone else going?
    • The latest Cracked photo contest was a zingfest - If Everything Was Made By Apple. My favorite was this subtle dig (pretty timely, having read about their latest iPhone security woes yesterday):

    Have a nice weekend folks.

    Ned “the future, Conan?” Pyle

  • RTM RSAT and SP1 Win7 (shot, over)

    Hi all, Ned here.

    Update 4/7/11: The Remote Server Administration Toolkit update to support Windows 7 Service Pack 1 has released. Come and get it:

    Yesterday we announced Windows 7 SP1 availability info. For those that use RSAT to admin from their clients, I am launching a preemptive strike before the comments flow:

    If you have SP1 installed and attempt to install the RTM version of the Remote Server Administration Tools, downloaded from here:

    You will receive error:

    The update is not applicable to your computer

    This is expected behavior and noted in the SP1 deployment guide and on the download page. The RTM version of Win7 RSAT has internal checks to prevent install on later operating systems and service packs. All is not lost though.


    Install RTM RSAT before installing SP1. When RSAT is already installed, SP1 will update the RSAT component files to SP1 versions. Obviously, this will not work on computers being built from SP1-slipstreamed install media. For example, I had RSAT installed on my own computer when I installed SP1. My Hyper-V Manager snap-in updated automagically:

    Long view

    Install the Win7 SP1 version of the RSAT package once we release it. When it is ready I will update this article as well as post a new article for the RSS crowd.

    The SP1 version of RSAT is planned for April. Telling me how important it is will not move things faster – we know it’s important. Don’t bother trying to override with DISM /Add-Package or PKGMGR /IP; that will not work either, because the top-level package in the cab cannot be bypassed.

    Until next time.

    Ned “splash, out” Pyle

  • New Directory Services Content 1/30–2/5

    Hi everyone – we’ve had a few weeks where we did not have any new KB articles posted for DS.  This week we have 3 new articles:

    2028495 - How to troubleshoot Active Directory operations that fail with error 8606: "Insufficient attributes were given to create an object"

    2023591 - Information about the User State Migration Tool (USMT) 4.0 update

    2023007 - How to troubleshoot Active Directory operations that fail with error 8456 or 8457: "The source | destination server is currently rejecting replication requests"

    Look for new “How to troubleshoot Active Directory operations that fail with…” articles coming soon.  Also, don’t forget about our TechNet Wiki, where you can find all kinds of great articles.  Here are some relevant articles from last week:

    Wiki Page: DSQUERY (dsforum2wiki)

    Wiki Page: AD FS 2.0 - How to backup the Federation Service

    Wiki Page: Logon Failure: The Target Account Name Is Incorrect (DsForum2wiki)

    Wiki Page: How to resolve the 'trust relationship has been lost with domain controller' error